ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8

General

Target

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Size

372KB
MD5

7de1750d1c18abc7625d3aa4c0647d96
SHA1

474e30032017bd76d9c44df06b3f779f404d7823
SHA256

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8
SHA512

f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746
SSDEEP

6144:90tCnRyUFrHko+wU21RTJInao0scy+cAZOe/6VL11meQfah3WGhzfNHjrvq3KWSu:7RzeoswR9JoxiL/UmeQfah3WYxVhbLc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

korvbrcxcyan.exekorvbrcxcyan.exe

pid process

1696 korvbrcxcyan.exe
1548 korvbrcxcyan.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe

pid	process
1696	korvbrcxcyan.exe
1548	korvbrcxcyan.exe

pid	process
1992	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

korvbrcxcyan.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	korvbrcxcyan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdxahatjvkkr = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\korvbrcxcyan.exe\""	korvbrcxcyan.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exekorvbrcxcyan.exe

description	pid	process	target process
PID 1116 set thread context of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1696 set thread context of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe

Drops file in Windows directory 2 IoCs

Processes:

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe

description	ioc	process
File created	C:\Windows\korvbrcxcyan.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
File opened for modification	C:\Windows\korvbrcxcyan.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

korvbrcxcyan.exe

pid process

1548 korvbrcxcyan.exe

pid	process
1548	korvbrcxcyan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exekorvbrcxcyan.exe

description	pid	process
Token: SeDebugPrivilege	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Token: SeDebugPrivilege	1548	korvbrcxcyan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exekorvbrcxcyan.exe

pid process

1116 ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
1696 korvbrcxcyan.exe

pid	process
1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
1696	korvbrcxcyan.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exead3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exekorvbrcxcyan.exe

description	pid	process	target process
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1116 wrote to memory of 700	1116	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 700 wrote to memory of 1696	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	korvbrcxcyan.exe
PID 700 wrote to memory of 1696	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	korvbrcxcyan.exe
PID 700 wrote to memory of 1696	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	korvbrcxcyan.exe
PID 700 wrote to memory of 1696	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	korvbrcxcyan.exe
PID 700 wrote to memory of 1992	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	cmd.exe
PID 700 wrote to memory of 1992	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	cmd.exe
PID 700 wrote to memory of 1992	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	cmd.exe
PID 700 wrote to memory of 1992	700	ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe	cmd.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe
PID 1696 wrote to memory of 1548	1696	korvbrcxcyan.exe	korvbrcxcyan.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

korvbrcxcyan.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	korvbrcxcyan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	korvbrcxcyan.exe

C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
"C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
"C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\korvbrcxcyan.exe
C:\Windows\korvbrcxcyan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\korvbrcxcyan.exe
C:\Windows\korvbrcxcyan.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD3A9D~1.EXE
3⤵
- Deletes itself
PID:1992

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\korvbrcxcyan.exe
Filesize
372KB

MD5
7de1750d1c18abc7625d3aa4c0647d96

SHA1
474e30032017bd76d9c44df06b3f779f404d7823

SHA256
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8

SHA512
f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746

Download Submit
C:\Windows\korvbrcxcyan.exe
Filesize
372KB

MD5
7de1750d1c18abc7625d3aa4c0647d96

SHA1
474e30032017bd76d9c44df06b3f779f404d7823

SHA256
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8

SHA512
f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746

Download Submit
C:\Windows\korvbrcxcyan.exe
Filesize
372KB

MD5
7de1750d1c18abc7625d3aa4c0647d96

SHA1
474e30032017bd76d9c44df06b3f779f404d7823

SHA256
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8

SHA512
f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746

Download Submit
memory/700-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-59-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-61-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-64-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-66-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-67-0x0000000000418C9E-mapping.dmp

Download
memory/700-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-71-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-72-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/700-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1116-69-0x0000000000380000-0x0000000000383000-memory.dmp

Filesize
12KB

Download
memory/1116-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1116-55-0x0000000000380000-0x0000000000383000-memory.dmp

Filesize
12KB

Download
memory/1548-90-0x0000000000418C9E-mapping.dmp

Download
memory/1548-94-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1548-95-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1548-96-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1696-73-0x0000000000000000-mapping.dmp

Download
memory/1992-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads